lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEkJfYOP_fDODxtNc5SvYeYgbvQ86FPLhaecQQXExqtFBbEgyQ@mail.gmail.com>
Date: Tue, 16 Apr 2024 14:42:41 +0800
From: Sam Sun <samsun1006219@...il.com>
To: Jay Vosburgh <jay.vosburgh@...onical.com>
Cc: Hangbin Liu <liuhangbin@...il.com>, linux-kernel@...r.kernel.org, 
	netdev@...r.kernel.org, andy@...yhouse.net, davem@...emloft.net, 
	Eric Dumazet <edumazet@...gle.com>, kuba@...nel.org, pabeni@...hat.com
Subject: Re: [PATCH net v1] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

On Mon, Apr 15, 2024 at 11:43 PM Jay Vosburgh
<jay.vosburgh@...onical.com> wrote:
>         The submitting-patches.rst file in Documentation/ isn't
> explicit, but the intent seems to be that Reported-by is for a bug
> report from a third party that isn't involved in creating the fix.  I
> don't think you need it here, just a Signed-off-by.
>

Sure, I will change it in my next submission.

> >> > Signed-off-by: Yue Sun <samsun1006219@...il.com>
> >> > ---
> >> >  drivers/net/bonding/bond_options.c | 3 ++-
> >> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/drivers/net/bonding/bond_options.c
> >> > b/drivers/net/bonding/bond_options.c
> >> > index 4cdbc7e084f4..db8d99ca1de0 100644
> >> > --- a/drivers/net/bonding/bond_options.c
> >> > +++ b/drivers/net/bonding/bond_options.c
> >> > @@ -1214,7 +1214,8 @@ static int bond_option_arp_ip_targets_set(struct
> >> > bonding *bond,
> >> >      __be32 target;
> >> >
> >> >      if (newval->string) {
> >> > -        if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
> >> > +        if (!(strlen(newval->string)) ||
> >> > +            !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
> >> >              netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
> >> >                     &target);
> >>
> >> Do we need to init target first if !(strlen(newval->string)) ?
> >>
> >Good question. I think we don't need to init target first, since in
> >original logic in4_pton() also leave target untouched if any error
> >occurs. If !(strlen(newval->string)), bond_option_arp_ip_targets_set()
> >just ret and target is still untouched. But I am not sure about it.
>
>         I think the original code is incorrect, as target will be
> uninitialized if in4_pton() fails.  The netdev_err() message shouldn't
> include target at all, it will never contain useful information.
>
>         -J

Yes I think you are right. I will remove the target address in fmt
string in my next submission.

Best,
Yue

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ